Episode #4: NIST's new post-quantum cryptography standards are here, so what comes next? This episode of Dark Reading Confidential digs into the world of quantum computing from a cybersecurity practitioner's point of view — with guests Matthew McFadden, vice president, Cyber, General Dynamics Information Technology (GDIT) and Thomas Scanlon, professor, Heinz College, Carnegie Mellon University.

Dark Reading Confidential: Quantum Has Landed, So Now What?

A Dark Reading poll reveals widespread concern over disinformation about election integrity and voter fraud, even as Russia steps up deepfake attacks meant to sow distrust in the voting process among the electorate.

Source: Brain light via Alamy Stock Photo

As voting in the 2024 US presidential election draws to a close today, disinformation remains the most top-of-mind voting-adjacent threat for cybersecurity professionals.

That's according to a fresh Dark Reading poll of nearly 1,000 readers, who were asked: "What are you most concerned about when it comes to election-related security threats?"

The top answer, accounting for 41% of the responses, was "deepfakes, misinformation, and disinformation." That was followed by tampering of polling data (23%); hacking operations by other countries like Russia, China, and Iran (20%); and AI-powered high-volume phishing using election lures (16%).

**Debunking Deepfaked Videos US Elections "Never More Secure"**

The results come as US federal agencies dismissed two inflammatory videos purporting to show vote tampering; the videos, they said, are merely the work of Russian adversaries using deepfake technologies to sow distrust in the electoral process and call the results into question.

One of the videos, debunked by the Office of the Director of National Intelligence (ODNI), the FBI, and the Cybersecurity and Infrastructure Agency (CISA), shows protestors supposedly destroying ballots in the battleground district of Bucks County, Pennsylvania. The other shows what it claims is video evidence of an illegal immigrant from Haiti voting over and over, in multiple counties in Georgia. The FBI and CISA also discounted the clip as fake and the work of Russian threat actors.

The videos are the latest efforts by a threat actor known as Storm-1516, which in September reached millions of viewers with a video showing alleged Harris supporters attacking attendees at a rally with Republican candidate Donald Trump; and with another that claimed Democratic candidate Kamala Harris’ was responsible for a hit-and-run car accident.

"US govt calls out more election-related Russian troll farm nonsense. Expect more of this. They’re flooding the zone, exploiting historical (and current) tropes, including racial issues," former CISA Director Chris Krebs said in a series of posts on social platform X. "This will only continue thru the count & certification process. Important to rapidly identify and debunk this garbage, and for platforms to label as foreign generated or remove entirely."

He added, "Some mental toughness is in order right now. Voters regardless of political affiliation need to remain aware they’re being targeted and not fall for it."

Blackbird.AI senior intelligence analyst Rennie Westcott agrees with Krebs that Election Day is unlikely to be the end of the efforts to create distrust in US election processes.  

"Foreign adversaries will try to confuse Americans about the authenticity of state election results after the polls close and tallies begin to trickle in," he says, adding that there will likely be ongoing efforts to "fan internal social division," including targeting minorities in swing states.

Current CISA Director Jen Easterly also has acknowledged the "firehouse of disinformation" that has been swirling around the election so far, driving fears of voter fraud and election tampering, especially among Republicans. The onslaught of distrust has been advanced considerably in the last year through the use of generative AI and deepfake capabilities. But she reiterated in a series of interviews with media that voting infrastructure is nearly bulletproof, and the US elections "have never been more secure."

“I can say \[that\] with confidence based on all the work that we've done together since 2016," Easterly told National Public Radio. “There are cyber threats, there are physical threats to election officials, but we're at a point now with our election infrastructure secure and the election community prepared to meet the moment on the 5th of November.”

In the meantime though, Blackbird.AI senior intelligence analyst Rennie Westcott agrees with Krebs that Election Day is unlikely to be the end of the efforts to create distrust in US election processes, so it's best to be prepared for more conspiracy theories about voting fraud and the like to continue to circulate.

"Foreign adversaries will try to confuse Americans about the authenticity of state election results after the polls close and tallies begin to trickle in," he says, adding that there will likely be ongoing efforts to "fan internal social division," including targeting minorities in swing states with tailored disinformation.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

On Election Day, Disinformation Worries Security Pros the Most

The Iran-linked group Emennet Pasargad aims to undermine public confidence in Israeli and Western nations by using hack-and-leak campaigns and disrupting government services, including elections.

Source: Muhammad Toqueer via Shutterstock

An Iranian cyber-operations group, Emennet Pasargad — also known as Cotton Sandstorm — has broadened its attacks, expanding its targets beyond Israel and the United States and targeting new IT assets, such as IP cameras.

In an advisory published last week, the US Departments of Justice and Treasury — along with the Israel National Cyber Directorate (INCD) — called out the change in tactics and noted that the group had provided resources and infrastructure services to Middle Eastern threat groups by operating as a legitimate company, Aria Sepehr Ayandehsazan (ASA). In addition, since the beginning of the year, Emennet Pasargad has scanned for IP cameras, targeted organizations in France and Sweden, and actively probed a variety of election sites and systems, according to the government advisory.

"Similar to the Emennet campaign that targeted the 2020 U.S. Presidential election, the FBI judges the group's recent campaigns include a mix of computer intrusion activity and exaggerated or fictitious claims of access to victim networks or stolen data to enhance the psychological effects of their operations," the advisory stated.

The latest intelligence highlights Iran's increasing use of cyber operations as a way to target its perceived enemies. In 2020 and 2022, Emennet Pasargad created disinformation campaigns to target the US presidential and midterm elections, posing as Proud Boys volunteers and sending fake videos to Republican lawmakers. The US Department of Justice indicted two Iranian nationals for the crimes, as well as for sending threats through email and attempting to hack election websites.

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Over the past year, Iran has stepped up its attempts to use cyberattacks to disrupt its enemies using bolder tactics, says John Fokker, head of threat intelligence for Trellix, a threat detection and response firm.

"Since October 2023, the beginning of the Israeli-Palestine crisis, Iranian hackers have intensified their activities against the United States and Israel, targeting critical sectors such as government, energy, and finance," he says. "We have observed Iran-linked actors disrupting organizations by stealing sensitive data, conducting denial-of-service attacks, and also deploying destructive malware such as ransomware or wiper strains, like the Handala wiper."

**Iranian Cyberattackers Broaden Their Sights**

Emennet Pasargad often operates by posing as a legitimate IT services company, ASA, as a front for accessing large language model (LLM) services and to scan and harvest data on IP cameras. The group has "used several cover hosting providers for infrastructure management and obfuscation," the Joint Cybersecurity Advisory added.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

The use of a cover organization to hide operations and make them seem legitimate is a common approach for Iranian threat actors, says Tomer Bar, vice president of security research at SafeBreach, a breach and attack simulation platform provider which has offices in Tel Aviv. For instance, Charming Kitten, or APT35, conducted reconnaissance and attacks under the guise of two companies, Najee Technology and Afkar System, which were sanctioned by the US Treasury Department in 2022.

"The usage of a cover company is not new, and it has been used by Iran both for espionage and distractive purposes," Bar says.

It also gives groups the ability to use commercial services as part of their infrastructure and hide their activities — for a time, says Trellix's Fokker.

"Threat actors have to acquire resources, software and hosting for their illicit activities," he says. "Having a 'legitimate' front company will make it easier to acquire these services and can serve as additional backstopping to give a plausible deniability."

**Governments, Businesses Should Take Stock**

The changing tactics underscore that organizations need to continually adjust their defenses to head off threat groups. Companies and government agencies should only buy technology and software from trusted vendors, and should make sure that those vendors have their own supply chain validation and vulnerability-remediation processes.

Related:BlankBot Trojan Targets Turkish Android Users

The Joint Cybersecurity Advisory called for organizations to review any successful authentications to network or cloud services that come from virtual private network services, such as Private Internet Access, ExpressVPN, and NordVPN. In addition to regularly applying updates and creating a resilient backup process, companies should consider deploying a "demilitarized zone" (DMZ) between any internet-facing assets and the corporate network, validating user input, and implementing least-privilege policies across their networks and applications.

SafeBreach has encountered attackers regularly scanning LinkedIn for workers who update their profiles with a new position, sending a spear-phishing text or email as a company administrator requesting that they log into a corporate system. The attackers then capture the victim's credentials through a malicious link.

Trellix's Fokker also stressed that companies should focus on their connected devices, applying patches for cameras and other hardware, using network segmentation to protect them, and regularly scanning their own IP space, before an attacker does.

"More and more governments are exploring the proactive scanning of IP spaces and notification of domestic organizations as an additional layer on top of stronger manufacturer requirements," he says. "First and foremost, it should be the responsibility of the organization itself. However, it will help if the government assists in this process and alerts unknowing organizations of their vulnerable cameras."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The Pakistan-based advanced persistent threat actor has been carrying on a cyber-espionage campaign targeting organizations on the subcontinent for more than a decade, and it's now using a new and improved "ElizaRAT" malware.

Source: Mehaniq vis Shutterstock

Pakistan's APT36 threat group is using a new and improved version of its core ElizaRAT custom implant, in what appears to be a growing number of successful attacks on Indian government agencies, military entities, and diplomatic missions over the past year.

The latest ElizaRAT variant includes new evasion techniques, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it harder for defenders to detect the malware, researchers at Check Point Research (CPR) discovered when analyzing the group's activities recently. Heightening the threat is a new stealer payload dubbed ApoloStealer, which APT36 has begun using to collect targeted file types from compromised systems, store their metadata, and transfer the information to the attacker's C2 server.

**A Step-by-Step Cyberattack Capability**

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," says Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal."

Heightening the challenge is the threat group's using of legitimate software, living off the land binaries (LoLBins), and legitimate services like Telegram, Slack, and Google Drive for C2 communications. The use of these services has significantly complicated the task of tracking malware communications in network traffic, Shykevich says.

APT36, who security vendors variously track as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard, is a Pakistani threat group that. since around 2013, has primarily targeted Indian government and military entities in numerous intelligence gathering operations. Like many other tightly focused threat groups, APT36s campaigns have occasionally targeted organizations in other countries, including Europe, Australia, and the US.

The threat actor's current malware portfolio includes tools for compromising Windows, Android, and increasingly, Linux devices. Earlier this year, BlackBerry reported an APT36 campaign where 65% of the group's attacks involved ELF binaries (Linkable Executable and Linkable Format) targeting Maya OS, a Unix-like operating system that India's defense ministry has developed as an alternative to Windows. And SentinelOne last year reported observing APT36 using romantic lures to spread malware called CopraRAT on Android devices belonging to Indian diplomatic and military personnel.

ElizaRAT is malware that the threat actor incorporated into its attack kit last September. The group has been distributing the malware via phishing emails containing links to malicious Control Panel files (CPL) stored on Google Storage. When a user opens the CPL file, it runs code that initiates the malware infection on their device, potentially giving the attacker remote access or control over the system.

**Three Campaigns, Three Versions**

Check Point researchers observed APT36 actors using at least three different versions of ElizaRAT in three separate campaigns — all targeting Indian entities — over the past year.

The first was an ElizaRAT variant that used Slack channels as C2 infrastructure. APT36 began using that variant sometime late last year and about a month later began deploying ApoloStealer with it. Starting early this year, the threat group switched to using a dropper component to stealthily drop and unpack a compressed file containing a new and improved version of ElizaRAT. The new variant, like its predecessor first checked to verify if the time zone of the machine it was on was set to Indian Standard Time before executing and further malicious activity.

The latest — third — version uses Google Drive for C2 communications. It lands on victim systems via malicious CPL files that act as a dropper for ElizaRAT. The CPL files execute a variety of tasks including creating a working directory for the malware, establishing persistence and registering the victim with the C2 server. What sets the latest version apart from the two previous ElizaRAT iteration is its continuous use of cloud services like Google Cloud for its C2 communication, Shykevich says. In addition, the latest APT36 campaign features a new USB stealer called ConnectX that the threat actor is using to examine files on USBs and other external drives that might be attached to a compromised device, he says.

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR said in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

APT36 Refines Tools in Attacks on Indian Targets

The security researcher who notified the media of the breach will be free from the city's lawsuit, but not without a caveat.

Source: Gregg Vignal via Alamy Stock Photo

The city of Columbus, Ohio, has come to a settlement with whistleblower David Leroy Ross, also known as Connor Goodwolf, after he alerted the local media of compromised personal information of the city's residents in a cyberattack.

The breach was discovered on July 18, when the city found that a foreign cyber-threat actor attempted to disrupt its IT infrastructure in a potential effort to install ransomware and demand a payment from the city.

The threat actors in question belonged to Rhysida ransomware gang, the information they managed to glean involving names, dates of birth, addresses, bank account information, driver's licenses, Social Security numbers, and other identifying information. This information was posted on the Dark Web, according to the notice of data breach letter that the city sent out to 500,000 victims whose information was compromised in the breach.

After learning of the disruption, Columbus' Department of Technology identified the threat and blocked unauthorized users from accessing its systems, launching an investigation into the matter. It also took the usual steps of engaging third-party cybersecurity experts to resolve the issue, as well as notifying law enforcement.

In August, the city sued independent security researcher David Ross, seeking damages greater than $25,000, as well as slamming him with an order to stop discussing the data leak. Now, nearly two months later, both sides have come to an agreement and the case will soon be dropped.

Goodwolf wanted a dismissal with prejudice, which means the city of Columbus cannot try him again for the same reason, and will have his wish be granted but with a catch: He had to agree to a permanent injunction in which he will only be allowed to publicly share data considered public record, and only with written approval from the city.

"It's good to see the city of Columbus dropping the case, partly in response to outcry from the security community back in July," Casey Ellis, founder and adviser at Bugcrowd, wrote in an emailed statement to Dark Reading. "This is another example of shooting the messenger, and the potential for this suit to have a chilling effect on others who'd do likewise in the interest of the public is something governments, agencies, and companies should be working hard to avoid."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

City of Columbus Drops Case on Cyberattack Whistleblower

The bug affected accounts with 52-character user names, and had several pre-conditions that needed to be met in order to be exploited.

Source: Ahmed Zaggoudi via Alamy Stock Photo

Okta has addressed an authentication bypass bug that affects those with long usernames or employers with wordy domain names.

The security hole could have allowed cybercriminals to pass Okta AD/LDAP delegated authentication (DelAuth) using just a username. However, it could only be exploited if a series of conditions were met, one of those conditions being a username that had 52 characters or more.

Though unusual, some individuals opt to use their email addresses as their usernames, making the possibility of a 52-character username not entirely out of the question.

Other conditions that needed to be met were if the user previously authenticated, creating a cache of the authentication; and if the cache was used first, which could occur "if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic," according to the authentication company in its advisory of the flaw.

The vulnerability was discovered by Okta on Oct. 30, after lurking in the system for three months. While it has since been fixed, the company recommended that customers check their logs for any odd authentication attempts dating back to July 23.

Okta also recommended that customers implement multifactor authentication (MFA) at a minimum, as this was not applied as part of the exploitation preconditions.

It is unclear whether there were any in-the-wild exploitation attempts. Okta did not respond immediately to a request for comment from Dark Reading.

**About the Author**

Okta Fixes Auth Bypass Bug After 3-Month Lull

Companies are attaching the term "AI" to everything these days, but in cybersecurity, machine learning is more than hype.

Artificial intelligence and machine learning tools are gaining traction in enterprises, and the rate of adoption is particularly notable in cybersecurity operations, where these technologies are being used to improve enterprise security posture, according to Dark Reading’s latest research on enterprise cybersecurity.

Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity survey found that enterprises are using AI and ML in a range of cybersecurity technologies, such as firewalls, endpoint detection and response platforms, security information and event management systems, and network traffic analyzers. Antivirus/anti-malware was the only security technology enhanced with AI and ML that was used by more than half of the respondents (51%). This is not surprising, as back in 2017, practitioners were already beginning to implement AI/ML in corporate antivirus measures.

Cybersecurity professionals have to match the bad actors who are sourcing AI/ML technologies for their purposes. The arms race between CISOs and their adversaries may be driving adoption of tools with AI and ML capabilities in areas such as phishing detection (49%), threat detection and response (45%), and endpoint security (40%). One third of the AI/ML integration in real-world security teams comes in the form of malware analysis (38%), intrusion detection and prevention (35%), threat intelligence (35%), identity and access management (34%), network security/network traffic analysis (33%), vulnerability management (32%), and security information and event management (31%).

About a quarter of respondents mentioned using AI/ML in user behavior analytics/predictive analytics (27%), fraud detection (27%), automated security operations (26%), and automated incident response (25%). While that is still a sizeable chunk of companies, the slightly lower adoption rate suggests that this grouping represents developing features.

For more on the impact of AI/ML on cybersecurity, download the Dark Reading report "The State of Artificial Intelligence and Machine Learning in Cybersecurity."

**About the Author**

Antivirus, Anti-Malware Lead Demand for AI/ML Tools

As businesses worry over deepfake scams and other AI attacks, organizations are adding guidance for cybersecurity teams on how to detect, and respond to, next-generation threats. That includes Exabeam, which was recently targeted by a deepfaked job candidate.

Source: Family Stock via Shutterstock

Deepfakes and other generative artificial intelligence (GenAI) attacks are becoming less rare, and signs are pointing to a coming onslaught of such attacks: Already, AI-generated text is becoming more common in emails, and security firms are finding ways to detect emails likely not created by humans. Human-written emails have declined to about 88% of all emails, while text attributed to large language models (LLMs) now accounts for about 12% of all email, up from around 7% in late 2022, according to one analysis.

To help organizations develop stronger defenses against AI-based attacks, the Top 10 for LLM Applications & Generative AI group within the Open Worldwide Application Security Project (OWASP) released a trio of guidance documents for security organizations on Oct. 31. To its previously released AI cybersecurity and governance checklist, the group added a guide for preparing for deepfake events, a framework to create AI security centers of excellence, and a curated database on AI security solutions.

While the previous Top 10 guide is useful for companies building models and creating their own AI services and product, the new guidance is aimed at the users of AI technology, says Scott Clinton, co-project lead at OWASP.

Those companies "want to be able to do AI safely with as much guidance as possible — they're going to do it anyway, because it's a competitive differentiator for the business," he says. "If their competitors are doing it, \[then\] they need to find a way to do it, do it better ... so security can't be a blocker, it can't be a barrier to that."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**One Security Vendor's Job Candidate Deepfake Attack**

In an example of the kinds of real-world attacks that are now happening, one job candidate at security vendor Exabeam had passed all the initial vetting and moved onto the final interview round. That's when Jodi Maas, GRC team lead at the company, recognized that something was wrong.

While the human resources group had flagged the initial interview for a new senior security analyst as "somewhat scripted," the actual interview started with normal greetings. Yet, it quickly became apparent that some form of digital trickery was in use. Background artifacts appeared, the female interviewee's mouth did not match the audio, and she hardly moved or expressed emotion, says Maas, who runs application security and governance, risk, and compliance within Exabeam's security operations center (SOC).

"It was very odd — just no smile, there was no personality at all, and we knew right away that it was not a fit, but we continued the interview, because \[the experience\] was very interesting," she says.

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

After the interview, Maas approached Exabeam's chief information security officer (CISO), Kevin Kirkwood, and they concluded it had been a deepfake based on similar video examples. The experience shook them enough that they decided the company needed better procedures in place to catch GenAI-based attacks, embarking on meetings with security staff and an internal presentation to employees.

"The fact that it got past our HR group was interesting. ... They passed them through because they had answered all the questions correctly," Kirkwood says.

After the deepfake interview, Exabeam's Kirkwood and Maas started revamping their processes, following up with their HR group, for example to let them know to expect more such attacks in the future. For now, the company advises its employees to treat video calls with suspicion. (Half-jokingly, Kirkwood requested this correspondent to turn on my video midway through the interview as proof of humanness. I did.)

"You're going to see this more often now, and you know these are the things you can check for, and these are the things that you will see in a deepfake," Kirkwood says.

Related:Okta Fixes Auth Bypass Bug After 3-Month Lull

**Technical Anti-Deepfake Solutions Are Needed**

Deepfake incidents are capturing the imagination — and fear — of IT professionals, with about half (48%) very concerned over deepfakes at present, and 74% believing deepfakes will pose a significant future threat, according to a survey conducted by email security firm Ironscales.

The trajectory of deepfakes is quite easy to predict — even if they are not good enough to fool most people today, they will be in the future, says Eyal Benishti, founder and CEO of Ironscales. That means that human training will likely only go so far. AI videos are getting eerily realistic, and a fully digital twin of another person controlled in real time by an attacker — a true "sock puppet" — is likely not far behind.

"Companies want to try and figure out how they get ready for deepfakes," he says. "The are realizing that this type of communication cannot be fully trusted moving forward, which ... will take people some time to realize and adjust."

In the future, since the telltale artifacts will be gone, better defenses are necessary, Exabeam's Kirkwood says.

"Worst case scenario: The technology gets so good that you're playing a tennis match — you know, the detection gets better, the deepfake gets better, the detection gets better, and so on," he says. "I'm waiting for the technology pieces to catch up, so I can actually plug it into my SIEM and flag the elements associated with deepfake."

OWASP's Clinton agrees. Rather focus on training humans to detect suspect video chats, companies should create infrastructures for authenticating that a chat is with a human who is also an employee, building processes around financial transactions, and creating an incident-response plan, he says.

"Training people on how to identify deepfakes — that's not really practical, because it's all subjective," Clinton says. "I think there have to be more unsubjective approaches, and so we went through and came up with some tangible steps that you can use, which are combinations of technologies and process to really focus on a few areas."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

OWASP Beefs Up GenAI Security Guidance Amid Growing Deepfakes

A research tool by the company found a vulnerability in the SQLite open source database, demonstrating the "defensive potential" for using LLMs to find vulnerabilities in applications before they're publicly released.

Source: Krot Studio via Alamy Stock Photo

Google has discovered its first real-world vulnerability using an artificial intelligence (AI) agent that company researchers are designing expressly for this purpose. The discovery of a memory-safety flaw in a production version of a popular open source database by the company's Big Sleep large language model (LLM) project is the first of its kind, and it has "tremendous defensive potential" for organizations, the Big Sleep team wrote in a recent Project Zero blog.

Big Sleep — the work of a collaboration between the company's Project Zero and Deep Mind groups — discovered an exploitable stack buffer underflow in SQLite, a widely used open source database engine.

Specifically, Big Sleep discovered a pattern in the code of a publicly released version of SQLite that creates a potential edge case that needs to be handled by all code that uses the field, the researchers noted. A function in the code failed to correctly handle the edge case, "resulting in a write into a stack buffer with a negative index when handling a query with a constraint on the 'rowid' column," thus creating an exploitable flaw, according to the post.

Google reported the bug to SQLite developers in early October. They fixed it on the same day and before it appeared in an official release of the database, so users were not affected.

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

**Inspired by AI Bug-Hunting Peers**

"We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software," the Big Sleep team wrote in the post. While this may be true, it's not the first time an LLM-based reasoning system autonomously found a flaw in the SQLite database engine, Google acknowledged.

An LLM model called Atlantis from a group of AI experts called Team Atlanta discovered six zero-day flaws in SQLite3 and even autonomously identified and patched one of them during the AI Cyber Challenge organized by ARPA-H, DARPA, and the White House, the team revealed in a blog post in August.

In fact, the Big Sleep team used one of the Team Atlanta discoveries — of "a null-pointer dereference" flaw in SQLite —  to inspire them to use AI "to see if we could find a more serious vulnerability," according to the post.

**Software Review Goes Beyond Fuzzing**

Google and other software development teams already use a process called fuzz-testing, colloquially known as "fuzzing," to help find flaws in applications before release. Fuzzing is an approach that targets the software with deliberately malformed data — or inputs — to see if it will crash so they can investigate and fix the cause.

Related:Privacy Anxiety Pushes Microsoft Recall AI Release Again

In fact, Google earlier this year released an AI-boosted fuzzing framework as an open source resource to help developers and researchers improve how they find software vulnerabilities. The framework automates manual aspects of fuzz-testing and uses LLMs to write project-specific code to boost code coverage.

While fuzzing "has helped significantly" to reduce the number of flaws in production software, developers need a more powerful approach "to find the bugs that are difficult (or impossible) to find" in this way, such as variants for previously found and patched vulnerabilities, the Big Sleep team wrote.

"As this trend continues, it's clear that fuzzing is not succeeding at catching such variants, and that for attackers, manual variant analysis is a cost-effective approach," the team wrote in the post.

Moreover, variant analysis is a better fit for current LLMs because its provides them with a starting point —  such as the details of a previously fixed flaw — for a search, and thus removes a lot of ambiguity from AI-based vulnerability testing, according to Google. In fact, at this point in the evolution of LLMs, lack of this type of starting point for a search can cause confusion, they noted.

Related:OWASP Releases AI Security Guidance

"We're hopeful that AI can narrow this gap," the Big Sleep team wrote. "We think that this is a promising path towards finally turning the tables and achieving an asymmetric advantage for defenders."

**Glimpse Into the Future**

Google Big Sleep is still in its research phase, and using AI-based automation to identify software flaws overall is a new discipline. However, there already are tools available that developers can use to get a jump on finding vulnerabilities in software code before public release.

Late last month, researchers at Protect AI released Vulnhuntr, a free, open source static code analyzer tool that can find zero-day vulnerabilities in Python codebases using Anthropic's Claude artificial intelligence (AI) model.

Indeed, Google's discovery shows promising progress for the future of using AI to help developers troubleshoot software before letting flaws seep into production versions.

"Finding vulnerabilities in software before it's even released means that there's no scope for attackers to compete: the vulnerabilities are fixed before attackers even have a chance to use them," Google's Big Sleep team wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Google: Big Sleep AI Agent Puts SQLite Software Bug to Bed

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

When you let go of that trapeze, you really want your teammates to be ready to catch you. Send us a cybersecurity-related caption to describe the above scene and our favorite will win its wordsmith a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 27, 2024 deadline:

• Email \[email protected\] with the subject line "Edge November Toon."

• Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to Joseph Ayella, a recurring winner, for sending us the winning caption for last month's "And For My Next Trick..." cartoon.

"I call this trick the woman-in-the-middle attack."

Some noteworthy contenders included: "All we could get was half a FTE for security assessments," "And with this SIEM solution, we could cut a half of our SOC analysts," and "I'm glad he's not the hacker." A big thank you to all who participated.

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Source

DARKReading